Ksawlii/kernel_samsung_a53x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
kernel_samsung_a53x/drivers/media
History
Zheng Wang f56156a55e media: venus: fix use after free bug in venus_remove due to race condition 
commit c5a85ed88e043474161bbfe54002c89c1cb50ee2 upstream.

in venus_probe, core->work is bound with venus_sys_error_handler, which is
used to handle error. The code use core->sys_err_done to make sync work.
The core->work is started in venus_event_notify.

If we call venus_remove, there might be an unfished work. The possible
sequence is as follows:

CPU0                  CPU1

                     |venus_sys_error_handler
venus_remove         |
hfi_destroy	 		 |
venus_hfi_destroy	 |
kfree(hdev);	     |
                     |hfi_reinit
					 |venus_hfi_queues_reinit
                     |//use hdev

Fix it by canceling the work in venus_remove.

Cc: stable@vger.kernel.org
Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-23 23:21:45 +01:00
..
cec Revert "media: cec: core: avoid confusing "transmit timed out" message" 2024-11-19 14:03:20 +01:00
common media: v4l2-tpg: fix some memleaks in tpg_alloc 2024-11-19 08:44:51 +01:00
dvb-core media: dvbdev: Initialize sbuf 2024-11-19 14:19:32 +01:00
dvb-frontends drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error 2024-11-23 23:21:25 +01:00
firewire Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
i2c media: tc358743: register v4l2 async device only after successful setup 2024-11-19 08:44:51 +01:00
mc media: mc: mark the media devnode as registered from the, start 2024-11-19 12:27:17 +01:00
mmc Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
pci media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c) 2024-11-23 23:20:47 +01:00
platform media: venus: fix use after free bug in venus_remove due to race condition 2024-11-23 23:21:45 +01:00
radio media: radio-isa: use dev_name to fill in bus_info 2024-11-23 23:20:44 +01:00
rc lirc: rc_dev_get_from_fd(): fix file leak 2024-11-23 23:20:18 +01:00
spi Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
test-drivers media: vivid: don't set HDMI TX controls if there are no HDMI outputs 2024-11-23 23:21:03 +01:00
tuners media: xc4000: Fix atomicity violation in xc4000_get_frequency 2024-11-19 09:22:15 +01:00
usb media: usbtv: Remove useless locks in usbtv_video_free() 2024-11-23 23:21:36 +01:00
v4l2-core media: v4l2-core: hold videodev_lock until dev reg, finishes 2024-11-19 12:27:17 +01:00
Kconfig Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Makefile Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00